VAR500 Execs: What Customers Want In Security
Security is the lifeblood of every business. Not protecting your data, or protecting the wrong data, is tantamount to giving your business away. But security is not a silo of protection; rather, it is woven into the entire organization holistically. "Security is everything," says Mont Phelps, CEO at NWN (VAR500 rank 181). "Now, it's ubiquitous. You need security in everything."
That sentiment is borne out by the numbers: Gartner reported last year that, while other segments of IT were being cut or remained stagnant, enterprises in North America spent roughly 5.5 percent of their overall IT budgets on security, more than the Asia-Pacific region (5 percent), Latin America (4.8 percent), and Europe, the Middle East, and Africa (4.3 percent). CRN's own research found that 68.7 percent of VAR500 companies sold either basic or enterprise security, or both.
What areas hold the most opportunity? Mobility, backup, cloud computing, and compliance are among the areas where solution providers are picking up keen interest from customers. Start with mobility. A recent Gartner report notes that the mobile app industry will almost triple in 2011 to $15.1 billion. Not only are the devices themselves getting attention, but the idea of using personal portable devices at work is also gaining traction -- much to the consternation of IT departments that are trying to maintain a secure business community. That combination of factors means there is an opportunity for solution providers not only to sell and develop more mobile applications, but also to create security solutions that protect networked computers from the perils of the outside world. Here is a breakdown of areas where customers are focusing their interest.
Mobility
"The hottest security trend right now is in mobility," said Gary Fish, president and CEO of FishNet Security (2010 VAR500 rank 162). "Everyone wants to use their personal mobile devices at work. The challenge ahead is figuring out how to do that securely: how to keep personal data separate from work. We'll be finding solutions to make them more secure."
One big issue for companies is that there is no encryption on the most popular devices, because they are generally made for consumers, who aren't normally interested in encryption.
Increasingly, employees are carrying around downloaded work documents on their personal devices, which are generally more convenient than lugging around a laptop. A commuting employee could, for example, take a few minutes to update a few numbers for a presentation during a cab ride to the client. "What happens when someone loses a device? How do you remotely wipe it? That's a big issue," Fish concedes. "We all have left a cell phone in a cab at one point or another. You've got to be able to remotely get to it and wipe it clean. And you also have to have the ability to know all your devices' whereabouts."
The risk of losing data -- whether in a cab, by accident or by malicious intent -- is also a concern for companies. Backing up data, therefore, becomes a crucial part of the security equation.
"We're seeing a lot of movement in backup technology," says Jim Lippie, Thrive Networks president. Many SMBs use tape backup solutions, and to abide by compliance regulations, the tapes are required to be offsite. Ironically, every time a company stores its data offsite, it takes a security risk; leaving it onsite leaves it vulnerable to other hazards, such as inside theft, or loss due to fire.
"Technology has helped security evolve by taking the human element out of the equation," notes Lippie. Today, the average SMB does not have so much data that it requires a tape solution. "We sell an appliance where all data resides, it's saved in 15 minute increments, and transmits into their cloud. They have both local data and what's in the cloud. There are countless stories of tapes stolen or misplaced. That's a huge security risk. [Our solution] is cost effective, stores 2 to 4 TB of data, and is a great solution at a reasonable price that gives onsite backup and business continuity all built in. We see it as a huge trend."
That's a huge trend that has helped Thrive, a unit of Staples Business Solutions (2011 VAR500 rank: 13), see exponential growth in the second half of 2010, says Lippie. It doesn't hurt, also, that a growing number of customers are becoming more comfortable moving applications -- and data -- to the cloud.
The Cloud
In today's data centers, security is pretty much built in. When systems move to the cloud, companies need to know what risks they might be facing. "A lot of our discussions with customers are becoming about the cloud: Infrastructure, platform as a service, software as a service, etc. They want to know what they should think about," said Joe Leonard, Security Practice Manager at Presidio Networked Solutions, Mid-Atlantic.
Presidio (2011 VAR500 rank: 65) has created a practice around cloud consulting -- helping customers determine what best practices for security in the cloud should be, and performing an analysis of what they need to achieve their goals. For companies already in the cloud, Presidio does an evaluation of the controls that are currently in place. Particularly in terms of governance, risk management and portability, companies need to be able to answer questions about how information is disseminated, how it is being stored, and who has access to it. The questions can be daunting: "If your cloud provider went under, do you have a plan for that? Is your data really gone when you wipe it off? How do you handle ID access controls? Privileges? Disaster recovery? Do you have proper controls in place to keep your data secure?" asks Leonard.
With so much of security dependent on how a company runs itself, and how well it adheres to its own set of stated requirements, compliance has become a lucrative arena for solution providers.
Compliance
"I'm seeing a lot of services and product around compliance. Right now, it's really hot. I own a software company [Secure Passage] that offers a firewall management product, FireMon. FireMon deals with compliance. People are driven by the compliance verification process, which takes time and is costly," says Fish. "A lot of this compliance stuff is the best thing that happened to us."
That's because companies don't always have the appropriate manpower to put behind preparing for audits, so it poses operational and security worries for everyone. Enter the VAR opportunity. By automating compliance analysis and the change management process, and by documenting why access exists inside of the normal business process, organizations can achieve continuous firewall compliance while reducing operational cost and effort, says Fish. What about the rampant compliance headaches and nightmare audit stories? "Some security professionals do welcome compliance audits -- most of these are things you should be doing anyway. And compliance definitely makes people more secure."
What both solution providers and their customers must recognize is that security is constantly evolving. The growing hacker community, coupled with the rate at which new threats are released, means that, more than ever, VARs have an opportunity to be the watchdogs for companies that don't have the resources to do it themselves. "Security is a series of trade-offs," says Phelps. "The question is: How much do you want to compromise? It's hard to be 100 percent."